Message-ID: <3bfcacf38d4f5ab5c8008f2d7df539012940222e.camel@HansenPartnership.com>
Subject: Re: [RFC PATCH 0/2] TPM derived keys
From: James Bottomley
To: Ignat Korchagin, Jarkko Sakkinen
Cc: Mimi Zohar, David Howells, Paul Moore, James Morris, serge@hallyn.com, linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@cloudflare.com
Date: Tue, 14 May 2024 09:30:34 -0600
In-Reply-To:
References: <20240503221634.44274-1-ignat@cloudflare.com>

On Tue, 2024-05-14 at 14:11 +0100, Ignat Korchagin wrote:
>   * if someone steals one of the disks - we don't want them to see it
>     has encrypted data (no LUKS header)

What is the use case that makes this important? In usual operation over the network, the fact that we're setting up encryption is easily identifiable to any packet sniffer (DHE key exchanges are fairly easy to fingerprint), but security relies on the fact that even knowing that we're setting up encryption, the attacker can't gain access to it. The fact that we are setting up encryption isn't seen as a useful thing to conceal, so why is it important for your encrypted disk use case?

James
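The quoted point turns on what a LUKS header gives away: it begins with a fixed magic string and a version field, so anyone holding the disk can recognise a LUKS volume from its first eight bytes. The following check is an added illustration for this thread, not code from the patch series or from either participant; the sample images are constructed inline (an 8-byte LUKS1-style prefix, a LUKS2-style prefix, and a headerless volume modelled as pseudo-random bytes), and the magic values are the documented LUKS on-disk constants.

```python
import random
import struct

# On-disk constants from the LUKS format: primary header magic (LUKS1 and LUKS2)
# and the LUKS2 secondary (backup) header magic. The version is a big-endian
# uint16 immediately after the 6-byte magic.
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"


def luks_header_info(blob: bytes):
    """Return (version, header_kind) if the blob starts with a LUKS header, else None."""
    if len(blob) < 8:
        return None
    magic = blob[:6]
    (version,) = struct.unpack(">H", blob[6:8])
    if magic == LUKS_MAGIC:
        return (version, "primary")
    if magic == LUKS2_SECONDARY_MAGIC:
        return (version, "secondary")
    return None


def classify(blob: bytes) -> str:
    """Label what the first bytes of a device reveal about the volume format.

    'no-luks-header' only means the magic is absent; it says nothing about
    whether the remaining bytes are ciphertext (e.g. a headerless dm-crypt
    volume) or something else entirely.
    """
    info = luks_header_info(blob)
    if info is None:
        return "no-luks-header"
    version, _kind = info
    if version == 1:
        return "luks1"
    if version == 2:
        return "luks2"
    return f"luks-unknown-version-{version}"


# Constructed sample images (hypothetical, not captured from real disks).
SAMPLE_LUKS1 = LUKS_MAGIC + struct.pack(">H", 1) + b"\x00" * 24
SAMPLE_LUKS2 = LUKS_MAGIC + struct.pack(">H", 2) + b"\x00" * 24
_rng = random.Random(1234)
SAMPLE_PLAIN = bytes(_rng.getrandbits(8) for _ in range(4096))  # headerless volume stand-in


if __name__ == "__main__":
    for name, img in (("luks1", SAMPLE_LUKS1), ("luks2", SAMPLE_LUKS2), ("plain", SAMPLE_PLAIN)):
        print(f"{name}: {classify(img)}")
```

The check reads nothing beyond the header prefix, which is exactly the disclosure the quoted bullet is about: the presence of a LUKS header is trivially detectable, while the absence of one is not evidence of anything either way.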